<!DOCTYPE html>
<html class='v2' dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>
<link href='https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css' rel='stylesheet' type='text/css'/>
<meta content='IE=EmulateIE7' http-equiv='X-UA-Compatible'/>
<meta content='width=1100' name='viewport'/>
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>
<meta content='blogger' name='generator'/>
<link href='https://blog.malwaremustdie.org/favicon.ico' rel='icon' type='image/x-icon'/>
<link href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html' rel='canonical'/>
<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/posts/default" />
<link rel="alternate" type="application/rss+xml" title="Malware Must Die! - RSS" href="https://blog.malwaremustdie.org/feeds/posts/default?alt=rss" />
<link rel="service.post" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://www.blogger.com/feeds/8268358095554400245/posts/default" />

<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/8300877980843573006/comments/default" />
<!--[if IE]><script type="text/javascript" src="https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js"></script>
<![endif]-->
<link href='https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w300-h1864-no' rel='image_src'/>
<meta content='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html' property='og:url'/>
<meta content='MMD-0065-2020 - Linux/Mirai-Fbot&#39;s new encryption explained' property='og:title'/>
<meta content='MalwareMustDie (MMD) is a whitehat workgroup to reduce malware, this blog advocates research on new malware threats &amp; Linux malware.' property='og:description'/>
<meta content='https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w1200-h630-p-k-no-nu' property='og:image'/>
<!--[if IE]> <script> (function() { var html5 = ("abbr,article,aside,audio,canvas,datalist,details," + "figure,footer,header,hgroup,mark,menu,meter,nav,output," + "progress,section,time,video").split(','); for (var i = 0; i < html5.length; i++) { document.createElement(html5[i]); } try { document.execCommand('BackgroundImageCache', false, true); } catch(e) {} })(); </script> <![endif]-->
<title>Malware Must Die!: MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained</title>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=UA-180537376-1'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-180537376-1');
</script>
<style id='page-skin-1' type='text/css'><!--
/*
-----------------------------------------------
Blogger Template Style
Name:     Awesome Inc.
Designer: Tina Chen
----------------------------------------------- */
/* Variable definitions
====================
<Variable name="keycolor" description="Main Color" type="color" default="#ffffff"/>
<Group description="Page" selector="body">
<Variable name="body.font" description="Font" type="font"
default="normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="body.background.color" description="Background Color" type="color" default="#000000"/>
<Variable name="body.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Links" selector=".main-inner">
<Variable name="link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Blog Title" selector=".header h1">
<Variable name="header.font" description="Title Font" type="font"
default="normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="header.text.color" description="Title Color" type="color" default="#ffffff" />
<Variable name="header.background.color" description="Header Background" type="color" default="transparent" />
</Group>
<Group description="Blog Description" selector=".header .description">
<Variable name="description.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="description.text.color" description="Text Color" type="color"
default="#ffffff" />
</Group>
<Group description="Tabs Text" selector=".tabs-inner .widget li a">
<Variable name="tabs.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="tabs.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="tabs.selected.text.color" description="Selected Color" type="color" default="#ffffff"/>
</Group>
<Group description="Tabs Background" selector=".tabs-outer .PageList">
<Variable name="tabs.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="tabs.selected.background.color" description="Selected Color" type="color" default="#444444"/>
<Variable name="tabs.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Date Header" selector=".main-inner .widget h2.date-header, .main-inner .widget h2.date-header span">
<Variable name="date.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="date.text.color" description="Text Color" type="color" default="#666666"/>
<Variable name="date.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Post Title" selector="h3.post-title, h4, h3.post-title a">
<Variable name="post.title.font" description="Font" type="font"
default="normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="post.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Post Background" selector=".post">
<Variable name="post.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="post.border.color" description="Border Color" type="color" default="#222222" />
<Variable name="post.border.bevel.color" description="Bevel Color" type="color" default="#222222"/>
</Group>
<Group description="Gadget Title" selector="h2">
<Variable name="widget.title.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Gadget Text" selector=".sidebar .widget">
<Variable name="widget.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="widget.alternate.text.color" description="Alternate Color" type="color" default="#666666"/>
</Group>
<Group description="Gadget Links" selector=".sidebar .widget">
<Variable name="widget.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="widget.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="widget.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Gadget Background" selector=".sidebar .widget">
<Variable name="widget.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="widget.border.color" description="Border Color" type="color" default="#222222"/>
<Variable name="widget.border.bevel.color" description="Bevel Color" type="color" default="#000000"/>
</Group>
<Group description="Sidebar Background" selector=".column-left-inner .column-right-inner">
<Variable name="widget.outer.background.color" description="Background Color" type="color" default="transparent" />
</Group>
<Group description="Images" selector=".main-inner">
<Variable name="image.background.color" description="Background Color" type="color" default="transparent"/>
<Variable name="image.border.color" description="Border Color" type="color" default="transparent"/>
</Group>
<Group description="Feed" selector=".blog-feeds">
<Variable name="feed.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Feed Links" selector=".blog-feeds">
<Variable name="feed.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="feed.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="feed.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Pager" selector=".blog-pager">
<Variable name="pager.background.color" description="Background Color" type="color" default="#141414" />
</Group>
<Group description="Footer" selector=".footer-outer">
<Variable name="footer.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="footer.text.color" description="Text Color" type="color" default="#ffffff" />
</Group>
<Variable name="title.shadow.spread" description="Title Shadow" type="length" default="-1px" min="-1px" max="100px"/>
<Variable name="body.background" description="Body Background" type="background"
color="#000000"
default="$(color) none repeat scroll top left"/>
<Variable name="body.background.gradient.cap" description="Body Gradient Cap" type="url"
default="none"/>
<Variable name="body.background.size" description="Body Background Size" type="string" default="auto"/>
<Variable name="tabs.background.gradient" description="Tabs Background Gradient" type="url"
default="none"/>
<Variable name="header.background.gradient" description="Header Background Gradient" type="url" default="none" />
<Variable name="header.padding.top" description="Header Top Padding" type="length" default="22px" min="0" max="100px"/>
<Variable name="header.margin.top" description="Header Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="header.margin.bottom" description="Header Bottom Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.padding.top" description="Widget Padding Top" type="length" default="8px" min="0" max="20px"/>
<Variable name="widget.padding.side" description="Widget Padding Side" type="length" default="15px" min="0" max="100px"/>
<Variable name="widget.outer.margin.top" description="Widget Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.outer.background.gradient" description="Gradient" type="url" default="none" />
<Variable name="widget.border.radius" description="Gadget Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="outer.shadow.spread" description="Outer Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.border.radius.top" description="Date Header Border Radius Top" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.position" description="Date Header Position" type="length" default="15px" min="0" max="100px"/>
<Variable name="date.space" description="Date Space" type="length" default="30px" min="0" max="100px"/>
<Variable name="date.position" description="Date Float" type="string" default="static" />
<Variable name="date.padding.bottom" description="Date Padding Bottom" type="length" default="0" min="0" max="100px"/>
<Variable name="date.border.size" description="Date Border Size" type="length" default="0" min="0" max="10px"/>
<Variable name="date.background" description="Date Background" type="background" color="transparent"
default="$(color) none no-repeat scroll top left" />
<Variable name="date.first.border.radius.top" description="Date First top radius" type="length" default="0" min="0" max="100px"/>
<Variable name="date.last.space.bottom" description="Date Last Space Bottom" type="length"
default="20px" min="0" max="100px"/>
<Variable name="date.last.border.radius.bottom" description="Date Last bottom radius" type="length" default="0" min="0" max="100px"/>
<Variable name="post.first.padding.top" description="First Post Padding Top" type="length" default="0" min="0" max="100px"/>
<Variable name="image.shadow.spread" description="Image Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="image.border.radius" description="Image Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="separator.outdent" description="Separator Outdent" type="length" default="15px" min="0" max="100px"/>
<Variable name="title.separator.border.size" description="Widget Title Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="list.separator.border.size" description="List Separator Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="shadow.spread" description="Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="startSide" description="Side where text starts in blog language" type="automatic" default="left"/>
<Variable name="endSide" description="Side where text ends in blog language" type="automatic" default="right"/>
<Variable name="date.side" description="Side where date header is placed" type="string" default="right"/>
<Variable name="pager.border.radius.top" description="Pager Border Top Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="pager.space.top" description="Pager Top Space" type="length" default="1em" min="0" max="20em"/>
<Variable name="footer.background.gradient" description="Background Gradient" type="url" default="none" />
<Variable name="mobile.background.size" description="Mobile Background Size" type="string"
default="auto"/>
<Variable name="mobile.background.overlay" description="Mobile Background Overlay" type="string"
default="transparent none repeat scroll top left"/>
<Variable name="mobile.button.color" description="Mobile Button Color" type="color" default="#ffffff" />
*/
/* Content
----------------------------------------------- */
body {
font: normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
background: #000000 none no-repeat scroll center center;
}
html body .content-outer {
min-width: 0;
max-width: 100%;
width: 100%;
}
a:link {
text-decoration: none;
color: #888888;
}
a:visited {
text-decoration: none;
color: #444444;
}
a:hover {
text-decoration: underline;
color: #cccccc;
}
.body-fauxcolumn-outer .cap-top {
position: absolute;
z-index: 1;
height: 276px;
width: 100%;
background: transparent none repeat-x scroll top left;
_background-image: none;
}
/* Columns
----------------------------------------------- */
.content-inner {
padding: 0;
}
.header-inner .section {
margin: 0 16px;
}
.tabs-inner .section {
margin: 0 16px;
}
.main-inner {
padding-top: 30px;
}
.main-inner .column-center-inner,
.main-inner .column-left-inner,
.main-inner .column-right-inner {
padding: 0 5px;
}
*+html body .main-inner .column-center-inner {
margin-top: -30px;
}
#layout .main-inner .column-center-inner {
margin-top: 0;
}
/* Header
----------------------------------------------- */
.header-outer {
margin: 0 0 0 0;
background: transparent none repeat scroll 0 0;
}
.Header h1 {
font: normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
text-shadow: 0 0 -1px #000000;
}
.Header h1 a {
color: #ffffff;
}
.Header .description {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.header-inner .Header .titlewrapper,
.header-inner .Header .descriptionwrapper {
padding-left: 0;
padding-right: 0;
margin-bottom: 0;
}
.header-inner .Header .titlewrapper {
padding-top: 22px;
}
/* Tabs
----------------------------------------------- */
.tabs-outer {
overflow: hidden;
position: relative;
background: #141414 none repeat scroll 0 0;
}
#layout .tabs-outer {
overflow: visible;
}
.tabs-cap-top, .tabs-cap-bottom {
position: absolute;
width: 100%;
border-top: 1px solid #222222;
}
.tabs-cap-bottom {
bottom: 0;
}
.tabs-inner .widget li a {
display: inline-block;
margin: 0;
padding: .6em 1.5em;
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
border-left: 1px solid #222222;
height: 16px;
line-height: 16px;
}
.tabs-inner .widget li:last-child a {
border-right: 1px solid #222222;
}
.tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover {
background: #444444 none repeat-x scroll 0 -100px;
color: #ffffff;
}
/* Headings
----------------------------------------------- */
h2 {
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
/* Widgets
----------------------------------------------- */
.main-inner .section {
margin: 0 27px;
padding: 0;
}
.main-inner .column-left-outer,
.main-inner .column-right-outer {
margin-top: 0;
}
#layout .main-inner .column-left-outer,
#layout .main-inner .column-right-outer {
margin-top: 0;
}
.main-inner .column-left-inner,
.main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
#layout .main-inner .column-left-inner,
#layout .main-inner .column-right-inner {
margin-top: 0;
}
.sidebar .widget {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.sidebar .widget a:link {
color: #888888;
}
.sidebar .widget a:visited {
color: #444444;
}
.sidebar .widget a:hover {
color: #cccccc;
}
.sidebar .widget h2 {
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget {
background-color: #141414;
border: 1px solid #222222;
padding: 0 15px 15px;
margin: 20px -16px;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.main-inner .widget h2 {
margin: 0 -15px;
padding: .6em 15px .5em;
border-bottom: 1px solid #000000;
}
.footer-inner .widget h2 {
padding: 0 0 .4em;
border-bottom: 1px solid #000000;
}
.main-inner .widget h2 + div, .footer-inner .widget h2 + div {
border-top: 1px solid #222222;
padding-top: 8px;
}
.main-inner .widget .widget-content {
margin: 0 -15px;
padding: 7px 15px 0;
}
.main-inner .widget ul, .main-inner .widget #ArchiveList ul.flat {
margin: -8px -15px 0;
padding: 0;
list-style: none;
}
.main-inner .widget #ArchiveList {
margin: -8px 0 0;
}
.main-inner .widget ul li, .main-inner .widget #ArchiveList ul.flat li {
padding: .5em 15px;
text-indent: 0;
color: #666666;
border-top: 1px solid #222222;
border-bottom: 1px solid #000000;
}
.main-inner .widget #ArchiveList ul li {
padding-top: .25em;
padding-bottom: .25em;
}
.main-inner .widget ul li:first-child, .main-inner .widget #ArchiveList ul.flat li:first-child {
border-top: none;
}
.main-inner .widget ul li:last-child, .main-inner .widget #ArchiveList ul.flat li:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.main-inner .widget .post-body ul {
padding: 0 2.5em;
margin: .5em 0;
list-style: disc;
}
.main-inner .widget .post-body ul li {
padding: 0.25em 0;
margin-bottom: .25em;
color: #ffffff;
border: none;
}
.footer-inner .widget ul {
padding: 0;
list-style: none;
}
.widget .zippy {
color: #666666;
}
/* Posts
----------------------------------------------- */
body .main-inner .Blog {
padding: 0;
margin-bottom: 1em;
background-color: transparent;
border: none;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
box-shadow: 0 0 0 rgba(0, 0, 0, 0);
}
.main-inner .section:last-child .Blog:last-child {
padding: 0;
margin-bottom: 1em;
}
.main-inner .widget h2.date-header {
margin: 0 -15px 1px;
padding: 0 0 0 0;
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #666666;
background: transparent none no-repeat scroll top left;
border-top: 0 solid #222222;
border-bottom: 1px solid #000000;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
position: static;
bottom: 100%;
right: 15px;
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget h2.date-header span {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
display: block;
padding: .5em 15px;
border-left: 0 solid #222222;
border-right: 0 solid #222222;
}
.date-outer {
position: relative;
margin: 30px 0 20px;
padding: 0 15px;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.date-outer:first-child {
margin-top: 0;
}
.date-outer:last-child {
margin-bottom: 20px;
-moz-border-radius-bottomleft: 0;
-moz-border-radius-bottomright: 0;
-webkit-border-bottom-left-radius: 0;
-webkit-border-bottom-right-radius: 0;
-goog-ms-border-bottom-left-radius: 0;
-goog-ms-border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-bottom-right-radius: 0;
}
.date-posts {
margin: 0 -15px;
padding: 0 15px;
clear: both;
}
.post-outer, .inline-ad {
border-top: 1px solid #222222;
margin: 0 -15px;
padding: 15px 15px;
}
.post-outer {
padding-bottom: 10px;
}
.post-outer:first-child {
padding-top: 0;
border-top: none;
}
.post-outer:last-child, .inline-ad:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.post-body img {
padding: 8px;
background: #222222;
border: 1px solid transparent;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
border-radius: 0;
}
h3.post-title, h4 {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a:hover {
color: #cccccc;
text-decoration: underline;
}
.post-header {
margin: 0 0 1em;
}
.post-body {
line-height: 1.4;
}
.post-outer h2 {
color: #ffffff;
}
.post-footer {
margin: 1.5em 0 0;
}
#blog-pager {
padding: 15px;
font-size: 120%;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius-topright: 0;
margin-top: 1em;
}
.blog-feeds, .post-feeds {
margin: 1em 0;
text-align: center;
color: #ffffff;
}
.blog-feeds a, .post-feeds a {
color: #888888;
}
.blog-feeds a:visited, .post-feeds a:visited {
color: #444444;
}
.blog-feeds a:hover, .post-feeds a:hover {
color: #cccccc;
}
.post-outer .comments {
margin-top: 2em;
}
/* Comments
----------------------------------------------- */
.comments .comments-content .icon.blog-author {
background-repeat: no-repeat;
background-image: url();
}
.comments .comments-content .loadmore a {
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
}
.comments .continue {
border-top: 2px solid #222222;
}
/* Footer
----------------------------------------------- */
.footer-outer {
margin: -0 0 -1px;
padding: 0 0 0;
color: #ffffff;
overflow: hidden;
}
.footer-fauxborder-left {
border-top: 1px solid #222222;
background: #141414 none repeat scroll 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
margin: 0 -0;
}
/* Mobile
----------------------------------------------- */
body.mobile {
background-size: auto;
}
.mobile .body-fauxcolumn-outer {
background: transparent none repeat scroll top left;
}
*+html body.mobile .main-inner .column-center-inner {
margin-top: 0;
}
.mobile .main-inner .widget {
padding: 0 0 15px;
}
.mobile .main-inner .widget h2 + div,
.mobile .footer-inner .widget h2 + div {
border-top: none;
padding-top: 0;
}
.mobile .footer-inner .widget h2 {
padding: 0.5em 0;
border-bottom: none;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile .main-inner .widget ul,
.mobile .main-inner .widget #ArchiveList ul.flat {
margin: 0 -15px 0;
}
.mobile .main-inner .widget h2.date-header {
right: 0;
}
.mobile .date-header span {
padding: 0.4em 0;
}
.mobile .date-outer:first-child {
margin-bottom: 0;
border: 1px solid #222222;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
}
.mobile .date-outer {
border-color: #222222;
border-width: 0 1px 1px;
}
.mobile .date-outer:last-child {
margin-bottom: 0;
}
.mobile .main-inner {
padding: 0;
}
.mobile .header-inner .section {
margin: 0;
}
.mobile .post-outer, .mobile .inline-ad {
padding: 5px 0;
}
.mobile .tabs-inner .section {
margin: 0 10px;
}
.mobile .main-inner .widget h2 {
margin: 0;
padding: 0;
}
.mobile .main-inner .widget h2.date-header span {
padding: 0;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile #blog-pager {
border: 1px solid transparent;
background: #141414 none repeat scroll 0 0;
}
.mobile .main-inner .column-left-inner,
.mobile .main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: none;
-webkit-box-shadow: none;
-goog-ms-box-shadow: none;
box-shadow: none;
}
.mobile .date-posts {
margin: 0;
padding: 0;
}
.mobile .footer-fauxborder-left {
margin: 0;
border-top: inherit;
}
.mobile .main-inner .section:last-child .Blog:last-child {
margin-bottom: 0;
}
.mobile-index-contents {
color: #ffffff;
}
.mobile .mobile-link-button {
background: #888888 none repeat scroll 0 0;
}
.mobile-link-button a:link, .mobile-link-button a:visited {
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content {
background: transparent;
border-top: 1px solid;
border-color: #222222;
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content .pagelist-arrow {
border-left: 1px solid #222222;
}

--></style>
<style id='template-skin-1' type='text/css'><!--
body {
min-width: 960px;
}
.content-outer, .content-fauxcolumn-outer, .region-inner {
min-width: 960px;
max-width: 960px;
_width: 960px;
}
.main-inner .columns {
padding-left: 0px;
padding-right: 310px;
}
.main-inner .fauxcolumn-center-outer {
left: 0px;
right: 310px;
/* IE6 does not respect left and right together */
_width: expression(this.parentNode.offsetWidth -
parseInt("0px") -
parseInt("310px") + 'px');
}
.main-inner .fauxcolumn-left-outer {
width: 0px;
}
.main-inner .fauxcolumn-right-outer {
width: 310px;
}
.main-inner .column-left-outer {
width: 0px;
right: 100%;
margin-left: -0px;
}
.main-inner .column-right-outer {
width: 310px;
margin-right: -310px;
}
#layout {
min-width: 0;
}
#layout .content-outer {
min-width: 0;
width: 800px;
}
#layout .region-inner {
min-width: 0;
width: auto;
}
--></style>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=G-GGYD63MC07'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-GGYD63MC07');
</script>
<link href='https://unixfreaxjp.github.io/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='https://unixfreaxjp.github.io/styles/shThemeRDark.css' rel='stylesheet' type='text/css'/>
<script src='https://unixfreaxjp.github.io/scripts/shCore.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCpp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCss.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJava.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJScript.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPhp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPython.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushRuby.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushSql.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushVb.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushXml.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPerl.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPlain.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushBash.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushAsm.js' type='text/javascript'></script>
<script language='javascript'> 
// SyntaxHighlighter.config.bloggerMode = true;
SyntaxHighlighter.all();
</script>
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script type="text/javascript" language="javascript">
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  adsbygoogle = window.adsbygoogle || [];
  if (typeof adsbygoogle.requestNonPersonalizedAds === 'undefined') {
    adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>


</head>
<body class='loading'>
<div class='navbar section' id='navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener('load',
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<div id="navbar-iframe-container"></div>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<script type="text/javascript">
      gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() {
        if (gapi.iframes && gapi.iframes.getContext) {
          gapi.iframes.getContext().openChild({
              url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d8268358095554400245\x26blogName\x3dMalware+Must+Die!\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://blog.malwaremustdie.org/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://blog.malwaremustdie.org/\x26targetPostID\x3d8300877980843573006\x26blogPostOrPageUrl\x3dhttps://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html\x26vt\x3d-2904915787811343912',
              where: document.getElementById("navbar-iframe-container"),
              id: "navbar-iframe"
          });
        }
      });
    </script><script type="text/javascript">
(function() {
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js';
var head = document.getElementsByTagName('head')[0];
if (head) {
head.appendChild(script);
}})();
</script>
</div></div>
<div class='body-fauxcolumns'>
<div class='fauxcolumn-outer body-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content'>
<div class='content-fauxcolumns'>
<div class='fauxcolumn-outer content-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content-outer'>
<div class='content-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left content-fauxborder-left'>
<div class='fauxborder-right content-fauxborder-right'></div>
<div class='content-inner'>
<header>
<div class='header-outer'>
<div class='header-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left header-fauxborder-left'>
<div class='fauxborder-right header-fauxborder-right'></div>
<div class='region-inner header-inner'>
<div class='header section' id='header'><div class='widget Header' data-version='1' id='Header1'>
<div id='header-inner'>
<a href='https://blog.malwaremustdie.org/' style='display: block'>
<img alt='Malware Must Die!' height='77px; ' id='Header1_headerimg' src='https://2.bp.blogspot.com/-rrlkZ50FDJA/UERTcxL8i3I/AAAAAAAAFY8/F5vmhcrbLs4/s1600/MMD.JPG' style='display: block' width='395px; '/>
</a>
<div class='descriptionwrapper'>
<p class='description'><span>The MalwareMustDie Blog (blog.malwaremustdie.org)</span></p>
</div>
</div>
</div></div>
</div>
</div>
<div class='header-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</header>
<div class='tabs-outer'>
<div class='tabs-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left tabs-fauxborder-left'>
<div class='fauxborder-right tabs-fauxborder-right'></div>
<div class='region-inner tabs-inner'>
<div class='tabs no-items section' id='crosscol'></div>
<div class='tabs no-items section' id='crosscol-overflow'></div>
</div>
</div>
<div class='tabs-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='main-outer'>
<div class='main-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left main-fauxborder-left'>
<div class='fauxborder-right main-fauxborder-right'></div>
<div class='region-inner main-inner'>
<div class='columns fauxcolumns'>
<div class='fauxcolumn-outer fauxcolumn-center-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-left-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-right-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<!-- corrects IE6 width calculation -->
<div class='columns-inner'>
<div class='column-center-outer'>
<div class='column-center-inner'>
<div class='main section' id='main'><div class='widget Blog' data-version='1' id='Blog1'>
<div class='blog-posts hfeed'>

          <div class="date-outer">
        
<h2 class='date-header'><span>Wednesday, January 15, 2020</span></h2>

          <div class="date-posts">
        
<div class='post-outer'>
<div class='post hentry' itemscope='itemscope' itemtype='https://schema.org/BlogPosting'>
<a name='8300877980843573006'></a>
<h3 class='post-title entry-title' itemprop='name'>
MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained
</h3>
<div class='post-header'>
<div class='post-header-line-1'></div>
</div>
<div class='post-body entry-content' id='post-body-8300877980843573006' itemprop='description articleBody'>
<p>
<h2>Prologue</h2>

<p><b><i>[For the most recent information of this threat please follow this ==> <a href="https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html">link</a>]</b></i>

<p>I setup a local brand new ARM base router I bought online around this new year 2020 to replace my old pots, and yesterday, it was soon pwned by malware and I had to reset it to the factory mode to make it work again (never happened before). When the "incident" occurred, the affected router wasn't dead but it was close to a freeze state, allowing me to operate enough to collect artifacts, and when rebooted that poor little box just won't start again. So for some reason the infection somehow ruined the router system. 

<p>As the summary for this case, in the router I found an infection trace of Mirai Linux malware variant called "FBOT", an ARM v5 binary variant, and it is just another modified version of original Mirai malware (after a long list of other variants beforehand). The infection came from a malware spreader/scanner attack from "another" infected internet of things explained later on.

<p>There is an interesting new encryption logic on its configuration section in the binary, alongside with the usage of "legendary" Mirai table's encryption, so hopefully this write-ups will be useful for others to dissect the threat. This may not be an easy reading one you and is a rather technical post, but if you are in forensics or reverse engineering on embedded platforms i.e. IoT or ICS security, you may like it, or, please bear with it. To make the post small and neat I won't go to further detail on router matter itself, and just go straight to the malicious binary that caused the problem, Mirai, is also a malware with a well-known functionality by now. It would be helpful if you know how it works beforehand. So I'll focus to the new decryption part of the artifact.

<p>I changed my analysis platform since SECCON 2019, I use "Tsurugi Linux SECCON edition", a special built version by Giovanni, with hardened/tested by me, supported by the "Trufae" for radare2's r2ghidra & r2dec pre-installing process during the SECCON 2019 time. It's a Linux distribution for binary & forensics analysis, Tsurugi is enriched with pre-compiled r2 with many architecture decompilers (i.e.: r2ghidra, r2dec and pdc), along with ton of useful open source binary analysis, DFIR tools with the OSINT/investigator's mode switch. This OS should suffice the analysis purpose. A new feature of r2ghidra (also r2dec) are used a lot. (The thank's list is in the Epilogue part).

<p>The tool's version info:
<pre class="brush: js">
:> !r2 -v
radare2 4.1.0-git 24455 @ linux-x86-64 git.4.0.0-235-g982be50
commit: 982be504999364c966d339c4c29f20da80128e14 build: 2019-12-17__10:29:05
:> !uname -a
Linux tsurugiseccon 5.4.2-050402-tsurugi #1 SMP Tue Dec 10 21:18:57 CET 2019 x86_64 x86_64 x86_64 GNU/Linux
:>
</pre>
<br>
<a href=https://blog.0day.jp/p/20191218.html><img src="https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w300-h1864-no"></a><br>(click the image to check details..)
<p>
Okay, let's write this, here we go..
<p>
<h2>The infection</h2>

<p>After successfully getting logs and cleaning them up, below is the timeline (in JST) that contains the infection detail:
<br>
<a href=https://lh3.googleusercontent.com/1D8rOSdaVgI5nXtshxk_vEHQUfPXq95UXGmvaUmqd_sB9Ka6CtVZR3fUnejJ_DDV6uU4gRhQtH5XqrMfruMnDyBbFFUkDAW4e7FWM8KwR__kV7hHXanpV19LlbQ-RXZh_uQr9XXefR0=w1221-h702-no><img src="https://lh3.googleusercontent.com/1D8rOSdaVgI5nXtshxk_vEHQUfPXq95UXGmvaUmqd_sB9Ka6CtVZR3fUnejJ_DDV6uU4gRhQtH5XqrMfruMnDyBbFFUkDAW4e7FWM8KwR__kV7hHXanpV19LlbQ-RXZh_uQr9XXefR0=w580-h702-no"></a>
<p>
We can see one IP address <b>93(.)157(.)152(.)247</b> was gaining a user's login access, after checking of infection condition and following by confirming previous infection binary instance, it downloaded and executed the ".t" payload that was fetched from other IP <b>5(.)206(.)227(.)65</b> afterwards. Other interesting highlights from this infection are: It flushes all the rules in the "filter" table of <b>iptables</b>; Scanning (previous) infections; The usage of SATORI keyword during checking (which is actually not the original one since the original author has been arrested) and the downloading tool used is either the <b>tftp</b> or <b>wget</b>.
<pre class="brush: js">

fbot-arm: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
3ea740687eee84832ecbdb202e8ed743  fbot-arm

</pre>
The compromised IoT that was infecting my device is this kind --> [<a href="https://epononu.en.ecplaza.net/products/ftth-8-pon-ports-gepon-olt_4027566">link</a>] a made-in-China(PRC) "GPON OLT" device. It is important to know that they are vulnerable to this Mirai variant's infection.

<p>During firstly detected, FBOT was running as per Mirai suppose to work, and from the COMM serial connection (telnet & SSH wasn't accessible due to high load average) we can see it runs like below <i>list of file</i> result:
<br>
<a href=https://lh3.googleusercontent.com/9R8UEFJda1ote6VWmaC17bc3pKPNwstdzup0io5uZVseAgW_gy7o9PLcRnQfZlmYize4LJliOj9BDLxcx_lEvU6kSOYtSl3Lwljha2AjnvgYrJgg7rE5h3JmWyFMG6iRP2-8w0lvC2E=w1244-h437-no><img src="https://lh3.googleusercontent.com/9R8UEFJda1ote6VWmaC17bc3pKPNwstdzup0io5uZVseAgW_gy7o9PLcRnQfZlmYize4LJliOj9BDLxcx_lEvU6kSOYtSl3Lwljha2AjnvgYrJgg7rE5h3JmWyFMG6iRP2-8w0lvC2E=w580-h437-no"></a>
<br>
The IP <b>5(.)206(.)227(.)65</b> is also functioned as this FBOT C2 server that looks "out of service" during the above snapshot was taken.
<p>So the binary that was executed was somehow deleted the itself. I can not recover it. An interesting randomized process name is running on a memory area that is showing a successful infection. So, being careful not to shutting down the load average 10 something small system I dumped the binary from memory as per I explained in the R2CON2018 [<a href="https://blog.malwaremustdie.org/p/new-video-of-this-talk-has-just-been.html">link</a>] and 2019.HACK.LU [<a href="https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html">link</a>] presentations I did, then, I saved and renamed the binary into "fbot-arm" for the further analysis purpose. 

<p>The memory maps is a good guidance for this matter, the rest of memory and user space are clean, note: you have to be very careful to not freezing the kernel or stopping the malware during the process. I was lucky to install tools needed for hot forensics before the infection occurred.
<br>
<a href=https://lh3.googleusercontent.com/2jHtBHIwY3TVFj8Nh9j09huP_Z9h2hUcUesSPrJo0eDPsENKuYdR8WQD4CGCSt4MwPokUaBwDAtLetX2PvGyKHiwQEHuTM8OLDrgBfUuDZJaWGYz-p3xO204pa3d4b3UK7fVoV8w-u0=w918-h207-no><img src="https://lh3.googleusercontent.com/2jHtBHIwY3TVFj8Nh9j09huP_Z9h2hUcUesSPrJo0eDPsENKuYdR8WQD4CGCSt4MwPokUaBwDAtLetX2PvGyKHiwQEHuTM8OLDrgBfUuDZJaWGYz-p3xO204pa3d4b3UK7fVoV8w-u0=w400-h207-no"></a>

<p>
<h2>The binary analysis</h2>

<p>The dumped ARM binary can be seen in radare2 like this detail, which it looks a plain stripped ARM may came up as result from cross compilation.
<br>
<a href=https://lh3.googleusercontent.com/xEEAvbd5LVmqE7uP0FaM9WGGdBlTXygn5HqA3Rug8vQDCKHostbi7vHjJgT2YX5ZhCFZdakfXxpZaidd67p6JAIZXQbQoMdNQnsAOs3Z8VSIc7PKbVD2AGyUCL6NCU7oV-QBR2ffv9w=w1383-h644-no><img src="https://lh3.googleusercontent.com/xEEAvbd5LVmqE7uP0FaM9WGGdBlTXygn5HqA3Rug8vQDCKHostbi7vHjJgT2YX5ZhCFZdakfXxpZaidd67p6JAIZXQbQoMdNQnsAOs3Z8VSIc7PKbVD2AGyUCL6NCU7oV-QBR2ffv9w=w580-h644-no"></a>

<p>The binary headers, entry points and sections don't show any strange things going on too, I think we can deal with the binary contents right away..
<br>
<a href=https://lh3.googleusercontent.com/Y0__rQez9PPpigit43Rgeypi6sMG9wx86Bue-d2vjbxW42jzIJtSCw_agNTiqslnyTKP6SSvMjhh9hBpSg-fHDPckrKtZJVcJJApseTWhfVETo55CdlVklkxmGCKpEcYciRto1A1N-0=w990-h739-no><img src="https://lh3.googleusercontent.com/Y0__rQez9PPpigit43Rgeypi6sMG9wx86Bue-d2vjbxW42jzIJtSCw_agNTiqslnyTKP6SSvMjhh9hBpSg-fHDPckrKtZJVcJJApseTWhfVETo55CdlVklkxmGCKpEcYciRto1A1N-0=w500-h739-no"></a>

<p>
<h2>The new encryption and the decryption</h2>

<p>When seeing Fbot binary's strings, I found it very interesting to see that there's a "Satori botnet's signature", that was used for scanning vulnerable telnet by Satori botnets, that string is also written hard-coded in this FBOT binary:
<br>
<a href="https://lh3.googleusercontent.com/_t_xjtYZ8gFO4VeH0au8oIF0bhfP5ffW_trIunj2ea5oTAHi0weAMBkwpADcnkS-RXj4VRYwjLJ1TBkFF7ojsoJiPXecwescE-A61eY_BZAox3Wq54AG9ibktCFnkBJQc5Msezl0Zl0=w883-h553-no"><img src="https://lh3.googleusercontent.com/_t_xjtYZ8gFO4VeH0au8oIF0bhfP5ffW_trIunj2ea5oTAHi0weAMBkwpADcnkS-RXj4VRYwjLJ1TBkFF7ojsoJiPXecwescE-A61eY_BZAox3Wq54AG9ibktCFnkBJQc5Msezl0Zl0=w500-h553-no"></a>
<p>
The same string is also detected during the infection log too. this coincidence(?) is really a "Deja Vu" to logs seen in the Mirai Satori infection era within 2017-2018. But let's focus to the encryption strings instead.

<p>There are two groups of encrypted configuration data (Mirai usually uses encrypted configuration data before being self-decrypted during the related execution process), but one of group of data looks like encrypted in a new different logic.

<p>The first group of the data (the orange colored one) is in a form of encryption pattern that is not commonly found in Mirai binaries before, which is the point of this post actually. And the blue-colored one is the data configuration that have been encrypted in pattern that is being used in <b>table.c:table_init()</b> of bot client, to then unlocking them for the further usage in malicious process like telnet scanning (<b>scanner_init</b>), or the other functions in Mirai operation. The blue color part's encryption method is a known one, we can later see its decrypted values too.
<br>
<a href=https://lh3.googleusercontent.com/haQ2z7YNnCnVnq4TM9xJMFpiWCRF48D4S5BXHoEr6DVRI4DFt0Md3vmIyzE7A7OGehobYLauzvijc04oM5XApJvJuneUq4ItqFeJRB-3xL1tP-fu_O4_r0oXLYu0uKZjqaFFqD19vT8=w1321-h915-no><img src="https://lh3.googleusercontent.com/haQ2z7YNnCnVnq4TM9xJMFpiWCRF48D4S5BXHoEr6DVRI4DFt0Md3vmIyzE7A7OGehobYLauzvijc04oM5XApJvJuneUq4ItqFeJRB-3xL1tP-fu_O4_r0oXLYu0uKZjqaFFqD19vT8=w580-h915-no"></a>

<p>The first configuration (encrypted) data will be firstly loaded by <b>table.c:add_entry()</b> variant function of MIrai, but during the further process it is processed using a new different decryption. Summarizing this method in a simpler words: that different decryption is a shuffle of alphabetical character set, based on a XOR'ed key that permutes its position. 

<p>Let's access the <b>.rodata</b> section in address  0xf454 where the first group data-set is located. When you get there, after checking the caller reference, it will lead you to a function at 0x9848 that's using those crypted values, see below:
<br>
<a href=https://lh3.googleusercontent.com/3uTe6mEL9EXX6cI0sfmZHs6OLBaTVIjSpXzTBELNMNGSTRBONeeSUL5SJdg9TF8mt6YGa3NaM3zZwwTxeak1kJpB_Em4MHlCPIyT_6ONuRyTrPIbWsv3mi64lYR_1vgRQKyAITa3768=w1463-h784-no><img src="https://lh3.googleusercontent.com/3uTe6mEL9EXX6cI0sfmZHs6OLBaTVIjSpXzTBELNMNGSTRBONeeSUL5SJdg9TF8mt6YGa3NaM3zZwwTxeak1kJpB_Em4MHlCPIyT_6ONuRyTrPIbWsv3mi64lYR_1vgRQKyAITa3768=w580-h784-no"></a>

<p>If you go to the top of the function and see (address 0x984c and 0x9858) how two string-sets are loaded from addresses 0x10020 and 0x10062 to be passed into a function in 0x975C with their length of 0x42 as secondary argument. 
<br>
<a href=https://lh3.googleusercontent.com/eHvM3ZUdmHKmMRk79PBhnheadwSnlwAEz8HPdnf4YMZifPTobHZMiXKXxAiXJ9JNNxEURFBGiAx3gUzjCwtn8uGaMhJz1in_6bF355FQAus_gx1YhEJpvCLSjJ_zxEbdJWJQlaEsAlA=w1412-h550-no><img src="https://lh3.googleusercontent.com/eHvM3ZUdmHKmMRk79PBhnheadwSnlwAEz8HPdnf4YMZifPTobHZMiXKXxAiXJ9JNNxEURFBGiAx3gUzjCwtn8uGaMhJz1in_6bF355FQAus_gx1YhEJpvCLSjJ_zxEbdJWJQlaEsAlA=w580-h550-no"></a>
<p>The two set loaded string-sets are saved in the ARM binary in this location:
<br>
<a href=https://lh3.googleusercontent.com/aaVjqfpQBpEdGcvh27lr-YsjYwGE12Z39XSXFiBWx86QIW6z-OOfs2KOFU8Gu8ldn-0gqEC-UG8-GTu5P2KNU5_CjhOpTNqcYWEY92GFleT0ooMtap0sQpNpr9mlXJRjxL4aC2vZrAM=w879-h408-no><img src="https://lh3.googleusercontent.com/aaVjqfpQBpEdGcvh27lr-YsjYwGE12Z39XSXFiBWx86QIW6z-OOfs2KOFU8Gu8ldn-0gqEC-UG8-GTu5P2KNU5_CjhOpTNqcYWEY92GFleT0ooMtap0sQpNpr9mlXJRjxL4aC2vZrAM=w444-h408-no"></a>

<p>There is a XOR key with value 0x59 applied to obfuscate the strings that was previously mentioned..
<br>
<a href=https://lh3.googleusercontent.com/_NfefghsWERCx5klMDqQHfjJJRkk1t-mPsB5cXfp10uXh2QI8QYhwBm4jxHppGobnrm2c3u5Ox1HbOaL0-7usDIiIho9Ia3CuHIIJjmhMUcbZD2a0dL_Uj6DYDmQUoJf8xxuYABLpwc=w1038-h870-no><img src="https://lh3.googleusercontent.com/_NfefghsWERCx5klMDqQHfjJJRkk1t-mPsB5cXfp10uXh2QI8QYhwBm4jxHppGobnrm2c3u5Ox1HbOaL0-7usDIiIho9Ia3CuHIIJjmhMUcbZD2a0dL_Uj6DYDmQUoJf8xxuYABLpwc=w444-h870-no"></a>
<br>

<p>Back to the function in 0x9848, the rest of the encrypted configuration data (the rest of "orange" ones) is parsed into function in 0x9780.
<br>
<a href=https://lh3.googleusercontent.com/SBO93ooXwnbjy0O-23CWfVCUOMTnhCqziBI0jxNx1BuTq3AXK1v0sBXp3ypzsrmJzr8vfxxTxiTE55fovV60ThAQiZqBw4vxqUNVhfZc-wc1iJCJB-rZ6ZAZLYENAkCE0RRIzOYp5iU=w843-h653-no><img src="https://lh3.googleusercontent.com/SBO93ooXwnbjy0O-23CWfVCUOMTnhCqziBI0jxNx1BuTq3AXK1v0sBXp3ypzsrmJzr8vfxxTxiTE55fovV60ThAQiZqBw4vxqUNVhfZc-wc1iJCJB-rZ6ZAZLYENAkCE0RRIzOYp5iU=w444-h653-no"></a>
<br>

<p>Function 0x9780 seems to be a modification of a <b>table.c:add_entry()</b> function in the original Mirai code (or similar variants), the modified (or additional) part is a decoder logic of the parsed data. The parsed data will be translated against the character map formed after XOR'ed that is stored in the memory, to have its desired result.

<p>I hope the below loop graph is good enough to explain how the decoder works statically (I have adjusted everything to fit into one image file).
<br>
<a href=https://lh3.googleusercontent.com/HOdQo_45EBkMrYhYyaLSofy2TFyndpTFQGFGg7LO47jQAfZJ0kN7xTm7NRTWLUxvnnM7u3atgnIb72bKpOIX-UcNaIRMfVmehblIjUW7i_J9ClEtOrJFrZwv2dgb_P-br9n8UrGpD9o=w1261-h702-no><img src="https://lh3.googleusercontent.com/HOdQo_45EBkMrYhYyaLSofy2TFyndpTFQGFGg7LO47jQAfZJ0kN7xTm7NRTWLUxvnnM7u3atgnIb72bKpOIX-UcNaIRMfVmehblIjUW7i_J9ClEtOrJFrZwv2dgb_P-br9n8UrGpD9o=w580-h702-no"></a>

<p>I think it would be better for you to see this first modified encryption config data process in the way it is called from the Mirai's table_init() function reversed as per below:
<br>
<a href=https://lh3.googleusercontent.com/Vwb8N-nP6bPqt5M-ynwffnIEG3P9kg40cPNctuWkPQ1JiYNW94BnOxNL5TQqERubiSMQT7A8kNfgS_z_2oVHP9V6-BMU9MbTyiaiGng__3LJjYgPHw-4R_2_NA2139oWGVPyDY-iSoI=w849-h686-no><img src="https://lh3.googleusercontent.com/Vwb8N-nP6bPqt5M-ynwffnIEG3P9kg40cPNctuWkPQ1JiYNW94BnOxNL5TQqERubiSMQT7A8kNfgS_z_2oVHP9V6-BMU9MbTyiaiGng__3LJjYgPHw-4R_2_NA2139oWGVPyDY-iSoI=w400-h686-no"></a>
<br>
This should be close enough to what adversary has coded.

<p>Dynamically, the character mapping process used to translate the encrypted strings can also be simulated in radare2 during on-memory analysis (it will be in the <b>heap memory area</b> somewhere if you want to confirm it) as per below result:
<br>
<a href=https://lh3.googleusercontent.com/g8U5Nu62AnFgyBDiLx3fBG-w7na4tEGjXFOsM1DFlgRQwlTgIDApkeFxt_z3VlIiQP-2q3k1x_590Dia0-jnWwXGazLtu4lEGHwsJPK6KmnVsUNERrJ29En-scO9hxPLo1UJB1TYVK0=w909-h346-no><img src="https://lh3.googleusercontent.com/g8U5Nu62AnFgyBDiLx3fBG-w7na4tEGjXFOsM1DFlgRQwlTgIDApkeFxt_z3VlIiQP-2q3k1x_590Dia0-jnWwXGazLtu4lEGHwsJPK6KmnVsUNERrJ29En-scO9hxPLo1UJB1TYVK0=w444-h346-no"></a>

<p>So, additionally, static or dynamic reversing can produce same result. I always prefer the static one since I don't have to run any malware code just to crack its configuration.

<p>The encoder table, in text! (enjoy!)
<pre class="brush: js">
// The decoder is at [0x00009780] , translated crypt into charmap below:
MLSDFQWYXNCZRPOKGIUTABVHEJtfqomaechlynudwvjrxigkzsbp7890254163=@^$
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./ -
</pre>

<p>I announced it yesterday in twitter [<a href="https://twitter.com/malwaremustd1e/status/1217108607264669696">link</a>], below is the decryption result:
<br>
<a href=https://lh3.googleusercontent.com/icLlDFRxITLbNKvSJSBXgsBgGs8tw97raT2qB1pn9BPKX-dWFoi1P_Xs8GjhWwS4d__VbqbxE7Hh3IfqZYXLfaNdbD_higz5XzO30o7E2Yluk41FDKxX2iPy5dUN4IujW8lS8Vy9xS4=w1283-h930-no><img src="https://lh3.googleusercontent.com/icLlDFRxITLbNKvSJSBXgsBgGs8tw97raT2qB1pn9BPKX-dWFoi1P_Xs8GjhWwS4d__VbqbxE7Hh3IfqZYXLfaNdbD_higz5XzO30o7E2Yluk41FDKxX2iPy5dUN4IujW8lS8Vy9xS4=w580-h930-no"></a>
<br>

<p>Since Mirai is coded in a way to make reverse engineering difficult, what you reverse in its binary's code-flow is not what has actually had been coded in C, please noted this, in example, In Mirai, the usage of <b>global variables</b> and the <b>global structs</b>, the <b>#define or #ifdef directives </b>used, the method to <b>unlock encryption process-used-variable values and then lock them all back</b> afterwards, and many other tricks used and designed for the sake of obstruction the reverse engineering. There is no shame in not reversing the overall codes into original ones, especially what you get is embeded-platform system's binary like ARM or MIPS or SH with way simpler assembly code. Reversers know this. Don't let this discourage you for not be proactive in reversing, but keep learning from it and learning it more.

<p>Back to our binary, the timing on when the first and second encrypted configuration were decrypted during malware execution process is different too. This is is the rough C flow of what this ARM binary process looks like during being executed, it's enough to explain my point, which is, the timing when the first configuration was executed is when the process of infection is happening, and the second configuration is used for the spreading/scanning purpose, which will be used afterward. 
<br>
<a href=https://lh3.googleusercontent.com/_GN-EDv9fR_YJ52J48jKqDKOKEFjTyoOzpqepIBQS2LZSpikJHYTyCPcP5fdXU1GFxhCh3K5cdcAtqeZikx2G6eYiC77NqpvRjar3LgkvhHpOYdAzyoc9E0m1ItA3m88vaq0zmcap9c=w999-h882-no><img src="https://lh3.googleusercontent.com/_GN-EDv9fR_YJ52J48jKqDKOKEFjTyoOzpqepIBQS2LZSpikJHYTyCPcP5fdXU1GFxhCh3K5cdcAtqeZikx2G6eYiC77NqpvRjar3LgkvhHpOYdAzyoc9E0m1ItA3m88vaq0zmcap9c=w500-h882-no"></a><br>
(Warning! The function's namings above are self-made naming for my reversing purpose and not the actual ones, I don't have ESP power to read the mind of the coder by reading his stripped binary, so please bear with differences etc..)

<p>The static code above can be easily filled with its argument values with two ways, following the registers or after you see how the malicious binary can be simulated its system calls, below is the snip code of what I did (the latter method) to show how this binary was executed as per flow above to reveal its values:
<br>
<a href=https://lh3.googleusercontent.com/Fe3k8p3FrU1iq5iEt0oFXI2gaa1ohras6iI1bRVP1gAQqRDQnRrMxKn7qXC8ZYqua8vtrHrzUG8Ffq6YGPBvU6JK8d0Pao--cWiINe71Qmp8RPEjihLY9z0rkpQTC9nnewH3cceQz1g=w1281-h391-no><img src="https://lh3.googleusercontent.com/Fe3k8p3FrU1iq5iEt0oFXI2gaa1ohras6iI1bRVP1gAQqRDQnRrMxKn7qXC8ZYqua8vtrHrzUG8Ffq6YGPBvU6JK8d0Pao--cWiINe71Qmp8RPEjihLY9z0rkpQTC9nnewH3cceQz1g=w580-h391-no"></a>
<br>
Now we know for sure why I didn't get the file because it was self-deleted after running at the first time.

<p>
<h2>No. We are not done yet.. </h2>

<p>As you can see in the decrypted strings, it has mentioned "pizza dongs helper". And the C2 for this Mirai variant has been obviously shown during infection stage (the data is saved in the configuration part that can be achieved by <b>table.c</b> at <b>"init"</b> process), it is on IP <b>5(.)206(.)227(.)65</b>, if you do OSINT and seeking passive DNS data of the IP address, you will see some similar hostnames and domains to the wording used in the decryption data. 

<p>Below is the example of hostnames & domains linked to the C2 IP from a passive database:
<br>
<a href=https://lh3.googleusercontent.com/wRnS1C7oVkbHtdItee9zmHqSf7hvEW5cg5YzLuU9_nO-VOVCO8CsLeOEYxNUS2KgHOHHRL4gw2Zrd8QWwcnG0IdBHketKxFgD3myOk44pyPWF8lnleIe5WQ6q-WgeQIJh9uZy9DMkqc=w882-h252-no><img src="https://lh3.googleusercontent.com/wRnS1C7oVkbHtdItee9zmHqSf7hvEW5cg5YzLuU9_nO-VOVCO8CsLeOEYxNUS2KgHOHHRL4gw2Zrd8QWwcnG0IdBHketKxFgD3myOk44pyPWF8lnleIe5WQ6q-WgeQIJh9uZy9DMkqc=w350-h252-no"></a>
<br>

<p>It's same domain that also has been registered in multiple IP around the globe:
<br>
<a href=https://lh3.googleusercontent.com/2ThM1eiiZKnbEbRhsApB8_gUtZMz1umOmHlhX8RDi0O9b7dEN_JHMYgN6ps0F7zD9O9BUX4eaPvJlY_bB9qNhjXw4gxPBGOpXqvkTZHc6MbwsNtVGtFsqkqG_kY6Qw12hglfoCeLU90=w1367-h167-no><img src="https://lh3.googleusercontent.com/2ThM1eiiZKnbEbRhsApB8_gUtZMz1umOmHlhX8RDi0O9b7dEN_JHMYgN6ps0F7zD9O9BUX4eaPvJlY_bB9qNhjXw4gxPBGOpXqvkTZHc6MbwsNtVGtFsqkqG_kY6Qw12hglfoCeLU90=w580-h167-no"></a>

<p>We keep on monitoring the spreader movement of this malware, these are several pickups of IoT devices log that is actively seeking for other vulnerable ARM devices. I sorted out in timeline base. I hope the carriers that's having vulnerable devices on the list can pay attention to address this issue.
<br>
<a href="https://lh3.googleusercontent.com/xBWDmEfUV7pgjPbHxgqdYwDP_Z-DJzwPqor-TAPM55kqbgRcS-dZExVdah_9NG_UYHzSTTvj3kRb1GcflbNHwhsHzKJ2grBs7RXv0rbfdWRfe06HSWxvCauUGa6F_iLvDYdeHtRfQEQ=w1297-h470-no"><img src="https://lh3.googleusercontent.com/xBWDmEfUV7pgjPbHxgqdYwDP_Z-DJzwPqor-TAPM55kqbgRcS-dZExVdah_9NG_UYHzSTTvj3kRb1GcflbNHwhsHzKJ2grBs7RXv0rbfdWRfe06HSWxvCauUGa6F_iLvDYdeHtRfQEQ=w580-h470-no">
</a><br>

<p>The IOC and STIX2 of this threat is in the posting process to usual portals.

<p>Lastly, as additional, the alleged botnet coder/owner has just sent his compliment, which is rare, so I attached in this blog too:
<br>
<a href=https://lh3.googleusercontent.com/r3KaPuBCyv8fdl195VmLCqQ9abLyoIxkEnPhZlIL7dbu2mmCepI_BxnfHLuXKvSzffVhDbvszEVK1XGarsrCEmwcMcLgHokh6hMSVDTejpr9Ix36UCN5Gfu7_1f7ebcA5yr7ofzAo88=w835-h700-no><img src="https://lh3.googleusercontent.com/r3KaPuBCyv8fdl195VmLCqQ9abLyoIxkEnPhZlIL7dbu2mmCepI_BxnfHLuXKvSzffVhDbvszEVK1XGarsrCEmwcMcLgHokh6hMSVDTejpr9Ix36UCN5Gfu7_1f7ebcA5yr7ofzAo88=w400-h700-no"></a>
<br>

<p>
<h2>Epilogue</h2>

<p>This post is dedicated to wonderful people who fight tirelessly against IoT threat that keep on aiming our devices until now, and also to people who try very hard to push new policy to have us defend better for the threat. I hope this post helps you.

<p>Thank you very much to r2ghidra, r2dec, r2 folks, tsurugi linux folks, MMD mates and friends, and all I can not mention in here, for supporting our effort in analyzing Linux malicious code all the time. 

<p>[Edit] Thu Jan 23 2020, thank you Security Affairs for the <a href="https://securityaffairs.co/wordpress/96683/cyber-crime/linux-fbot-malware-analysis.html">historical background and insights</a> of Mirai and Fbot.

<p><i>This technical analysis and its contents is an original work and firstly published in the current MalwareMustDie Blog post (this site), the analysis and writing is made by <b>@unixfreaxjp</b>. 

<p>The research contents is bound to our legal <a href="https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html">disclaimer guide line</a> in sharing of MalwareMustDie NPO research material</i>.<p>
<img src="https://lh3.googleusercontent.com/dsk-63KxE8vQ-QD1caFyx6MrmGL2Xdiwo7DZjphwXBMrKTeYz6Zbb4NyoeFtSJdfrvlOSsnScpEP2V75H5r8AViyUGee-WOuoLnx0k9uH_A80bxzezs0AqiPZI0XaGh6Dvxg7iiVDrI=w400-h566-no">

<p>Malware Must Die!
<div style='clear: both;'></div>
</div>
<div class='post-footer'>
<div class='post-footer-line post-footer-line-1'><span class='post-author vcard'>
Posted by
<span class='fn'>unixfreaxjp</span>
</span>
<span class='post-timestamp'>
at
<a class='timestamp-link' href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html' itemprop='url' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2020-01-15T21:48:00+09:00'>Wednesday, January 15, 2020</abbr></a>
</span>
<span class='post-comment-link'>
</span>
<span class='post-icons'>
<span class='item-control blog-admin pid-1814417508'>
<a href='https://www.blogger.com/post-edit.g?blogID=8268358095554400245&postID=8300877980843573006&from=pencil' title='Edit Post'>
<img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/>
</a>
</span>
</span>
<div class='post-share-buttons goog-inline-block'>
<a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8300877980843573006&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8300877980843573006&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'><span class='share-button-link-text'>BlogThis!</span></a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8300877980843573006&target=twitter' target='_blank' title='Share to Twitter'><span class='share-button-link-text'>Share to Twitter</span></a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8300877980843573006&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'><span class='share-button-link-text'>Share to Facebook</span></a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8300877980843573006&target=pinterest' target='_blank' title='Share to Pinterest'><span class='share-button-link-text'>Share to Pinterest</span></a>
</div>
</div>
<div class='post-footer-line post-footer-line-2'><span class='post-labels'>
</span>
</div>
<div class='post-footer-line post-footer-line-3'><span class='post-location'>
</span>
</div>
</div>
</div>
<div class='comments' id='comments'>
<a name='comments'></a>
</div>
</div>

        </div></div>
      
</div>
<div class='blog-pager' id='blog-pager'>
<span id='blog-pager-newer-link'>
<a class='blog-pager-newer-link' href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html' id='Blog1_blog-pager-newer-link' title='Newer Post'>Newer Post</a>
</span>
<span id='blog-pager-older-link'>
<a class='blog-pager-older-link' href='https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html' id='Blog1_blog-pager-older-link' title='Older Post'>Older Post</a>
</span>
<a class='home-link' href='https://blog.malwaremustdie.org/'>Home</a>
</div>
<div class='clear'></div>
<div class='post-feeds'>
</div>
</div></div>
</div>
</div>
<div class='column-left-outer'>
<div class='column-left-inner'>
<aside>
</aside>
</div>
</div>
<div class='column-right-outer'>
<div class='column-right-inner'>
<aside>
<div class='sidebar section' id='sidebar-right-1'><div class='widget HTML' data-version='1' id='HTML1'>
<h2 class='title'>About #MalwareMustDie!</h2>
<div class='widget-content'>
Launched in August 2012, MalwareMustDie(or MMD), is a registered <span style="font-weight:bold;">Non-profit Whitehat Organization</span>, as a Blue-Teaming media  to form work-flow activities to reduce malware in the internet <a href="https://en.wikipedia.org/wiki/MalwareMustDie">..[Read More]</a>
</div>
<div class='clear'></div>
</div><div class='widget BlogSearch' data-version='1' id='BlogSearch1'>
<h2 class='title'>Search keyword</h2>
<div class='widget-content'>
<div id='BlogSearch1_form'>
<form action='https://blog.malwaremustdie.org/search' class='gsc-search-box' target='_top'>
<table cellpadding='0' cellspacing='0' class='gsc-search-box'>
<tbody>
<tr>
<td class='gsc-input'>
<input autocomplete='off' class='gsc-input' name='q' size='10' title='search' type='text' value=''/>
</td>
<td class='gsc-search-button'>
<input class='gsc-search-button' title='search' type='submit' value='Search'/>
</td>
</tr>
</tbody>
</table>
</form>
</div>
</div>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList1'>
<h2>Links</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/feeds/posts/default?alt=rss'>RSS Feed</a></li>
<li><a href='https://www.malwaremustdie.org/'>Home Page</a></li>
<li><a href='https://blog.malwaremustdie.org/p/send-sample.html'>Send Sample</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&tbm=nws&start=0'>News Search</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&newwindow=1&client=firefox-b&biw=928&bih=462&source=lnt&tbs=cdr%3A1%2Ccd_min%3A7%2F1%2F2012%2Ccd_max%3A6%2F10%2F2016&tbm=#q=malwaremustdie&newwindow=1&tbs=cdr:1,cd_min:7/1/2012,cd_max:6/10/2016,sbd:1&start=10'>Web Search</a></li>
<li><a href='https://blog.malwaremustdie.org/p/linux-malware-research-list-updated.html'>Linux Malware</a></li>
<li><a href='https://unixfreaxjp.github.io/malwaremustdie/'>Github Repository</a></li>
<li><a href='https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75'>Video News, Demo, Reports</a></li>
<li><a href='https://malwared.malwaremustdie.org/'>"Malwared" Blacklist/Tracker</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-mmds-tango-down-project-archive.html'>"Tango down!" project (Archive)</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html'>Disclaimer & Sharing Guide</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget FeaturedPost' data-version='1' id='FeaturedPost1'>
<h2 class='title'>Recommended reading</h2>
<div class='post-summary'>
<h3><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot&#39;s new encryption explained</a></h3>
<p>
 Prologue   [For the most recent information of this threat please follow this ==&gt; link ]   I setup a local brand new ARM base router I b...
</p>
<img class='image' src='https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w300-h1864-no'/>
</div>
<style type='text/css'>
    .image {
      width: 100%;
    }
  </style>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList2'>
<h2>Malware Analysis / Threat Reports (Indexed)</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html'>MMD-0067-2021 - Recent talks on Linux process injection and shellcode analysis series (ROOTCON-2020, R2CON-2020 ++)</a></li>
<li><a href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html'>MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat </a></li>
<li><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html'>MMD-0064-2019 - Linux/AirDropBot</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html'>MMD-0063-2019 - Summary of three years research (Sept 2016-Sept 2019)</a></li>
<li><a href='https://blog.malwaremustdie.org/2017/03/mmd-0062-2017-credential-harvesting-by.html'>MMD-0062-2017 - IoT/Studels SSH-TCP Forward Threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/12/mmd-0061-2016-energymech-28-overkill-mod.html'>MMD-0061-2016 - EnergyMech 2.8 overkill mod</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html'>MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html'>MMD-0059-2016 - Linux/IRCTelnet (new Aidra)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html'>MMD-0058-2016 - Linux/NyaDrop - MIPS IoT bad news</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html'>MMD-0057-2016 - Linux/LuaBot - IoT botnet as service</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html'>MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html'>MMD-0055-2016 - Linux/PnScan ; A worm that still circles around</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html'>MMD-0054-2016 - ATMOS botnet facts you should know</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/04/mmd-0053-2016-bit-about-elfstd-irc-bot.html'>MMD-0053-2016 - Linux/STD IRC Botnet: x00's CBack aka xxx.pokemon.inc</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html'>MMD-0052-2016 - Overview of Overall "SkidDDoS" Linux Botnet</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.html'>MMD-0051-2016 - Debunking a Tiny Shellhock's ELF backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html'>MMD-0050-2016 - Linux/Torte infection (in Wordpress)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html'>MMD-0049-2016 - Java Trojan Downloader/RCE) for minerd</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html'>MMD-0048-2016 - DDOS.TF = ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0047-2015-sshv-ssh-bruter-elf.html'>MMD-0047-2015 - SSHV: SSH bruter Linux botnet w/hidden process rootkit</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html'>MMD-0046-2015 - Kelihos 10 nodes C2 / CNC on NJIIX (US) and its actor(Severa)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html'>MMD-0045-2015 - Linux/KDefend: a new China origin Linux threat w/disclaimer</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html'>MMD-0044-2015 - Code disclosure of SkiDDoS threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-polymorphic-in-elf.html'>MMD-0043-2015 - Linux/Xor.DDOS Polymorphic feature</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html'>MMD-0042-2015 - Geting to Linux/Mr.Black actor via Zegost </a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0041-2015-reversing-pe-mail-grabber.html'>MMD-0041-2015 - PE Mail-grabber Spambot & its C99 WebShell</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-learning-about-vbe.html'>MMD-0040-2015 - VBE Obfuscation & AutoIt Banco Trojan</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html'>MMD-0039-2015 - ChinaZ  Linux/BillGates.Lite Edition</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0037-2015-chinaz-and-ddos123xyz.html'>MMD-0038-2015 - ChinaZ's Ddos123.xyz</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html'>MMD-0037-2015 - Shellshock & Linux/XOR.DDoS C2</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html'>MMD-0036-2015 - KINS (ZeusVM)v2.0.0. builder & panel leaks</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0035-2015-iptablex-or-iptables-on.html'>MMD-0035-2015 - Linux/.IptabLex or .IptabLes on Shellshock(by: ChinaZ)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html'>MMD-0034-2015 - Linux/DES.Downloader on Elasticsearch</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html'>MMD-0033-2015 - Linux/XorDDoS case CNC:HOSTASA.ORG</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html'>MMD-0032-2015 - The ELF ChinaZ "reloaded"</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/04/mmd-0031-2015-what-is-netwire-rat.html'>MMD-0031-2015 - What is NetWire (multi platform) RAT</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html'>MMD-0030-2015 - New malware on Shellshock: Linux/ChinaZ</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/10/mmd-0029-2015-warning-of-mayhem.html'>MMD-0029-2014 - Warning of Linux/Mayhem attack in Shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html'>MMD-0028-2014 - Linux/XOR.DDoS</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html'>MMD-0027-2014 - Linux/Bashdoor(GafGyt) & Small ELF Backdoor at shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html'>MMD-0026-2014 - Linux/AES.DDoS: Router Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html'>MMD-0025-2014 - Linux/.IptabLex or .IptabLes - China/PRC origin DDoS bot</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/recent-incident-report-of-linux-elf.html'>MMD-0024-2014 - Incident Report of Linux/Mayhem (LD_PRELOAD libworker.so)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-payback-to-ssh-bruting-crooks.html'>MMD-0023-2014 - Linux/pscan & Linux/sshscan: SSH bruter malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html'>MMD-0022-2014 - Zendran, multi-arch Linux/Llightaidra - Part 1: background, installation, reversing & C2 access</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html'>MMD-0021-2014 - Linux/Elknot: China's origin ELF DDoS+backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html'>MMD-0020-2014 - Analysis of Linux/Mayhem infection: A shared libs ELF</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/when-hacker-gets-hacked-disclosure.html'>MMD-0019-2014 - "Xakep.biz" evil tools</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html'>MMD-0018-2014 - Analysis note: "Upatre" is back to SSL? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html'>MMD-0017-2014 - A post to sting Zeus P2P/Gameover</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html'>MMD-0016-2014 - The JackPOS Behind the Screen</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html'>MMD-0015-2014 - One upon the time with Phishing Session..</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/threat-intelligence-new-locker-prison.html'>MMD-0014-2014 - New Locker: Prison Locker (aka: Power Locker)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/shadow-logger-new-fud-keylogger-on-mmd.html'>MMD-0013-2014 - "Shadow Logger" - .NET's FUD Keylogger</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/arp-spoofing-malware-infection-project.html'>MMD-0012-2013 - ARP Spoofing Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/lets-be-more-serious-about-dns-amp-elf.html'>MMD-0011-2013 - Linux/Elknot - Let's be more serious about (mitigating) DNS Amp</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/more-wordpress-hack-case-sites.html'>MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/runforrestrun-dga-is-alive-at.html'>MMD-0009-2013 - JS/RunForrestRun DGA "Comeback" with new obfuscation</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/a-disclosure-of-whats-behind-w00tw00t.html'>MMD-0008-2013 - What's Behind the #w00tw00t (PHP) Attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/kins-source-code-for-view-download.html'>MMD-0007-2013 - KINS? No! PowerZeuS, yes! </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html'>MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/how-greedy-cyber-scums-are-leaked-plan.html'>MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/08/you-hacked-we-cracked-youre-doomed-ir.html'>MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/the-come-back-of-ru-runforrestruns-dga.html'>MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/how-bad-cutwail-and-other-spambot-can.html'>MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/proof-of-concept-of-cookiebomb-attack.html'>MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/advisory-on-pleskapache-remote-code.html'>MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList3'>
<h2>Presentation and Special Threat Reports</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#rootcon2020'>ROOTCON 2020 - Deeper diving into shellcode (advanced users)</a></li>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#r2con2020'>R2CON 2020 - So you don't like shellcode too? (for r2 RE beginners)</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html'>HACK.LU 2019 Keynote talk: "Fileless Malware Infection and Linux Process Injection"</a></li>
<li><a href='https://blog.malwaremustdie.org/p/new-video-of-this-talk-has-just-been.html'>R2CON 2018 talk of: "Unpacking the non-unpackable ELF malware"</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/long-talk-av-tokyo-20135-kelihos.html'>AVTOKYO 2013.5 - Threats of Kelihos, CookieBomb, RedKit's and its Bad Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/short-talk-in-botconf-2013-kelihos.html'>BOTCONF 2013 - Kelihos: Botnet, Takedown, Mule Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/02/cve-2013-0634-this-ladyboyle-is-not.html'>CVE-2013-0634 This "Lady" Boyle is not a nice Lady at all</a></li>
<li><a href='https://blog.0day.jp/p/english-report-of-fhappi-freehosting.html'>APT-10 - FreeHosting APT w/PowerSploit Poison Ivy (FHAPPI) campaign aims Hongkong & Mongolia</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html'>APT-32 - The Vietnam Journalist Spy Campaign </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html'>Targeted attack of "Operation Torpedo"</a></li>
<li><a href='https://old.reddit.com/r/LinuxMalware/comments/5d0jx4/malwaremustdie_closed_blog_usa_access_as_protest/'>Protest against usage of NSA malware spytool PITCHIMPAIR & INNOVATION on friendly countries</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html'>China/PRC origin Linux botnet's malware infection and its distribution scheme unleashed</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/full-disclosure-of-309-botbotnet-source.html'>Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/03/the-evil-came-back-darkleechs-apache.html'>The Evil Came Back: Linux/Darkleech's Apache Malware Module</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/ddoser-as-service-camouflation-of-legit.html'>DDoS in a Bruter Service - A camouflage of Stresser/Booter</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/how-far-phpc99shell-malware-can-go-from.html'>How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-journey-to-ftp-abused-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/how-public-services-like-amazon-aws.html'>Case Study: How legitimate internet services like Amazon AWS, DropBox, Google Project/Code & ShortURL got abused to infect malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html'>Just another story of UNIX Trojan Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD case</a></li>
<li><a href='https://blog.malwaremustdie.org/p/mon-mar-24-104232-jst-2014.html'>Discontinuation of "Malware Crusader" public forum</a></li>
<li><a href='https://blog.malwaremustdie.org/p/hall-of-shame.html'>Hall of Shame</a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList4'>
<h2>Non-indexed (older) Analysis</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2013/11/a-step-by-step-decoding-guide-for.html'>Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/a-note-of-modification-of-obfuscation.html'>Some Decoding note(s) on modified #CookieBomb attack's obfuscated injection code</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/what-is-behind-cookiebomb-attack-by.html'>What is behind #CookieBomb attack? (by @malm0u53)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-new.html'>..And another "detonating" method of CookieBomb 2.0 - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-todays.html'>..And another "detonating" method of CookieBomb 2.0 - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/fuzzy-in-manual-cracking-of.html'>New PseudoRandom (JS/runforestrun?xxx=)</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/12/jsrunforrestrun-infector-comeback-full.html'>JS/RunForrestRun Infection ComeBack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/cnc-analysis-of-citadel-trojan-bot.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/wireshark-analysis-of-citadel-trojan.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/09/cracking-of-strong-encrypted-phpirc-bot.html'>Cracking of Strong Encrypted PHP / IRC Bot (PBOT) </a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget Feed' data-version='1' id='Feed2'>
<h2>
</h2>
<div class='widget-content' id='Feed2_feedItemListDisplay'>
<span style='filter: alpha(25); opacity: 0.25;'>
<a href='https://blog.0day.jp/feeds/posts/default?alt=rss'>Loading...</a>
</span>
</div>
<div class='clear'></div>
</div><div class='widget Subscribe' data-version='1' id='Subscribe1'>
<div style='white-space:nowrap'>
<h2 class='title'>Subscribe To</h2>
<div class='widget-content'>
<div class='subscribe-wrapper subscribe-type-POST'>
<div class='subscribe expanded subscribe-type-POST' id='SW_READER_LIST_Subscribe1POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/posts/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div class='subscribe-wrapper subscribe-type-PER_POST'>
<div class='subscribe expanded subscribe-type-PER_POST' id='SW_READER_LIST_Subscribe1PER_POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F8300877980843573006%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F8300877980843573006%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/8300877980843573006/comments/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1PER_POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div style='clear:both'></div>
</div>
</div>
<div class='clear'></div>
</div><div class='widget HTML' data-version='1' id='HTML4'>
<div class='widget-content'>
<img src="https://lh5.googleusercontent.com/proxy/7a-Sy6taVMPz5qCfJcwarW7nnRlF-fwSjHuPpm4G-slGou22nrtKfHm7RVsFcKWJHqHb9Q_sMZs-ERk=s0-d" width="0" height="0" border="0">
<!--
&#9769;act free from sins,
&#9769;speak the truth,
&#9769;be just,
&#9769;be brave,
&#9769;have faith,
&#9769;help, support, teach the weaks ,
&#9769;non nobis domine sed nomine tuo da gloriam.
-->
</div>
<div class='clear'></div>
</div></div>
</aside>
</div>
</div>
</div>
<div style='clear: both'></div>
<!-- columns -->
</div>
<!-- main -->
</div>
</div>
<div class='main-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<footer>
<div class='footer-outer'>
<div class='footer-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left footer-fauxborder-left'>
<div class='fauxborder-right footer-fauxborder-right'></div>
<div class='region-inner footer-inner'>
<div class='foot no-items section' id='footer-1'></div>
<table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'>
<tbody>
<tr>
<td class='first columns-cell'>
<div class='foot no-items section' id='footer-2-1'></div>
</td>
<td class='columns-cell'>
<div class='foot no-items section' id='footer-2-2'></div>
</td>
</tr>
</tbody>
</table>
<!-- outside of the include in order to lock Attribution widget -->
<div class='foot section' id='footer-3'><div class='widget Attribution' data-version='1' id='Attribution1'>
<div class='widget-content' style='text-align: center;'>
(c)MalwareMustDie, 2012-2021. Read LEGAL DISCLAIMER before quoting or copying our contents. Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>.
</div>
<div class='clear'></div>
</div></div>
</div>
</div>
<div class='footer-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</footer>
<!-- content -->
</div>
</div>
<div class='content-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<script type='text/javascript'>
    window.setTimeout(function() {
        document.body.className = document.body.className.replace('loading', '');
      }, 10);
  </script>
<script type='text/javascript'>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
      ga('create', 'UA-180537376-1', 'auto', 'blogger');
      ga('blogger.send', 'pageview');
    </script>
<!--It is your responsibility to notify your visitors about cookies used and data collected on your blog. Blogger makes a standard notification available for you to use on your blog, and you can customise it or replace it with your own notice. See http://www.blogger.com/go/cookiechoices for more details.-->
<script defer='' src='/js/cookienotice.js'></script>
<script>
    document.addEventListener('DOMContentLoaded', function(event) {
      window.cookieChoices && cookieChoices.showCookieConsentBar && cookieChoices.showCookieConsentBar(
          (window.cookieOptions && cookieOptions.msg) || 'This site uses cookies from Google to deliver its services and to analyse traffic. Your IP address and user agent are shared with Google, together with performance and security metrics, to ensure quality of service, generate usage statistics and to detect and address abuse.',
          (window.cookieOptions && cookieOptions.close) || 'Ok',
          (window.cookieOptions && cookieOptions.learn) || 'Learn more',
          (window.cookieOptions && cookieOptions.link) || 'https://www.blogger.com/go/blogspot-cookies');
    });
  </script>

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1434883710-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY460uGw0e86iYLxeJPIDIh6e4MprQ:1640306045427';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d8268358095554400245','//blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html','8268358095554400245');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '8268358095554400245', 'title': 'Malware Must Die!', 'url': 'https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html', 'canonicalUrl': 'https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html', 'homepageUrl': 'https://blog.malwaremustdie.org/', 'searchUrl': 'https://blog.malwaremustdie.org/search', 'canonicalHomepageUrl': 'https://blog.malwaremustdie.org/', 'blogspotFaviconUrl': 'https://blog.malwaremustdie.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-180537376-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Malware Must Die! - RSS\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/8268358095554400245/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/8300877980843573006/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'ieCssRetrofitLinks': '\x3c!--[if IE]\x3e\x3cscript type\x3d\x22text/javascript\x22 src\x3d\x22https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js\x22\x3e\x3c/script\x3e\n\x3c![endif]--\x3e', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/20752fd4df382411', 'plusOneApiSrc': 'https://apis.google.com/js/plusone.js', 'disableGComments': true, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '8300877980843573006', 'postImageThumbnailUrl': 'https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8\x3ds72-w300-c-h1864-no', 'postImageUrl': 'https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8\x3dw300-h1864-no', 'pageName': 'MMD-0065-2020 - Linux/Mirai-Fbot\x27s new encryption explained', 'pageTitle': 'Malware Must Die!: MMD-0065-2020 - Linux/Mirai-Fbot\x27s new encryption explained', 'metaDescription': ''}}, {'name': 'features', 'data': {'sharing_get_link_dialog': 'true', 'sharing_native': 'false'}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'MMD-0065-2020 - Linux/Mirai-Fbot\x27s new encryption explained', 'description': 'MalwareMustDie (MMD) is a whitehat workgroup to reduce malware, this blog advocates research on new malware threats \x26 Linux malware.', 'featuredImage': 'https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8\x3dw300-h1864-no', 'url': 'https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 8300877980843573006}}]);
_WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1619306617-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-right-1', document.getElementById('HTML1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar-right-1', document.getElementById('BlogSearch1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList1', 'sidebar-right-1', document.getElementById('LinkList1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeaturedPostView', new _WidgetInfo('FeaturedPost1', 'sidebar-right-1', document.getElementById('FeaturedPost1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList2', 'sidebar-right-1', document.getElementById('LinkList2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList3', 'sidebar-right-1', document.getElementById('LinkList3'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList4', 'sidebar-right-1', document.getElementById('LinkList4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeedView', new _WidgetInfo('Feed2', 'sidebar-right-1', document.getElementById('Feed2'), {'title': '', 'showItemDate': true, 'showItemAuthor': false, 'feedUrl': 'https://blog.0day.jp/feeds/posts/default?alt\x3drss', 'numItemsShow': 5, 'loadingMsg': 'Loading...', 'openLinksInNewWindow': false, 'useFeedWidgetServ': 'true'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_SubscribeView', new _WidgetInfo('Subscribe1', 'sidebar-right-1', document.getElementById('Subscribe1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML4', 'sidebar-right-1', document.getElementById('HTML4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull'));
</script>
</body>
</html>